Is your processing legit? Using a legitimate interest assessment to process data under the GDPR

Legitimate interest assessment: a new development?

EU regulators have been issuing guidelines to clarify their respective opinions on the use of legitimate interest. This guidance tends to indicate that companies need to be discerning when relying on legitimate interest as the basis for data processing and should follow procedure to complete a legitimate interest assessment. The UK’s supervisory authority, the Information Commissioner’s Office (ICO), was amongst the vocal regulators, publishing guidelines[1] which correlate closely with an earlier opinion issued by Article 29 Working Party (WP29) in 2014.[2] They state that legitimate interest is the most flexible of the six legal grounds for processing data; the remaining five being consent, contract, legal obligation, vital interest and public task[3]. This flexibility is achieved by removing the need to obtain further consent from individuals before processing their data[4]. As a result, data controllers and processors alike appear to be relying more and more on legitimate interest as a basis for carrying out certain processing activities.

What is legitimate interest, and what is changing?

“The legitimate interests of any third party, including wider benefits to society”. This means that there is a wide range of potential interests for which it would be possible to justify processing data without consent. The ICO has restricted this wide definition in stating that an interest will only be legitimate when the thresholds of legitimacy and necessity are balanced against the interests of individuals, or to use the legal jargon; when subsidiarity[5] is effectively counterbalanced with proportionality[6]. This is a development from the UK Data Protection Act 1998 (DPA) under which the idea of proportionality was not as dominant. It is important that controllers and processors alike take note of this change as it means that what was once a legitimate interest under the DPA, may not legally be classed as such under the GDPR[7].

When is the use of legitimate interest justified?

This comes down to one question to be considered on a case-by-case basis: in the circumstances, would you reasonably expect your data to be processed? If the answer is yes, it is quite likely that controllers and processors will be justified in their reliance on legitimate interest. To illustrate this, imagine you posted your CV on a job board website. It would be unreasonable for you to be consumed with rage if you were subsequently contacted by recruiters[8]. The very reason you posted the CV is in the hope of being inundated with offers for dream jobs. Assume now that you were offered and have accepted your (dream) job. One of your next moves might be to feverishly unsubscribe from all daily job board emails and to amend your settings on social media sites to state that you were no longer available for new positions. At this stage it would be reasonable to expect no further contact from recruiters. If you were still contacted, your personal interests will have been disregarded, legitimate interest will not be justified, and don’t forget, it would have been a total waste of time for both parties.

How are the other regulators reacting?

How does the ICO’s guidance compare to that of other supervisory authorities? We have compared the guidelines released by the Garante, the Autoriteit Persoonsgegevens and the Data Protection Commissioner, respectively the Italian, Dutch and Irish regulators.

· Italy: Under current law, the Garante requires prior notice before reliance is made on legitimate interest. It then evaluates the validity of its use, and if it is not satisfactory, it may request the processor to cease the offending activity[9]. However, as part of their recently published guidelines[10], the Garante has accepted that the GDPR requires an element of self-policing on this matter. It does still insist that it will intervene if controllers or processors are deemed not to be effectively self-evaluating. Presumably this intervention will link to the amount of complaints received about a particular controller or processor.

· Netherlands: The Autoriteit Persoonsgegevens (AP), focuses in on the element of transparency. It states that stakeholders should be given the option to oppose the processing of their personal data[11]. This would imply that individuals should be notified before their data is further processed. Thus, like the ICO, the AP guidelines lean more towards the importance of balancing individuals’ interests. The AP’s guidelines also draw on the importance of fraud prevention and the restriction of direct marketing, stating that the use of legitimate interest for these purposes will be justified.

· Ireland: Data sharing forms the basis for guidelines released by the Data Protection Commissioner (DPC). They state that sharing data from controller to controller (e.g. posting details to an industry-wide database) will also need to be necessary and justified as part of the balance of legitimate interest. Prior to such sharing, the individuals concerned must have at least been reliably informed of the controller’s intentions[12].

How could these changes impact your business?

When relied upon correctly, legitimate interest could actually facilitate efficiency, innovation and business growth. In order to achieve this efficiency, as well as GDPR compliance, regulators recommend completing a Legitimate Interest Assessment (LIA). This assessment tests whether the thresholds of legitimacy, subsidiarity and proportionality have all been attained[13]. Regulators have given helpful examples as to when all three tests are satisfied, such as, the use of employee data to process payroll, or an insurance company processing data to spot fraudulent claims. An element of ongoing monitoring and renew of LIAs will be required as circumstances change. If, for example, an individual opts out of direct marketing, it is a requirement, under Directive 2002/58/EC (the ePrivacy Directive) that this individual’s request not to be contacted is respected[14]. It is therefore vital for companies to have the infrastructure in place to react to individuals exercising their rights in order to satisfy the balancing test required for legitimate interest.

Why is compliance with these rules important?

As discussed, the correct application of legitimate interest could actually improve the efficiency of business innovation and efficiency and provide market advantage. The threat of fines and the reputational damage that will come with not complying with the GDPR provisions provides sufficient incentive to consider and properly apply the LIA requirements. Conversely great business opportunities await companies who understand and properly apply the legitimate interest requirements.

We’d be interested to hear of any challenges or successes you’ve had in relying on the legitimate interest ground as a basis for processing and if you’ve successfully applied a legitimate interest assessment.

HewardMills

[1] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ L 119/1 (hereafter: The General Data Protection Act, or GDPR)

[2] Article 29 Data Protection Working Party, ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’ (2014) <http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf> accessed at 15 April 2018.

[3] Information Commissioner’s Office, ‘Lawful basis for processing’ (2018)<https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/>

[4] Information Commissioner’s Office, ‘Legitimate interests. Lawful basis for processing’ (2018), 23 <https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests-1-0.pdf> accessed at 13 April 2018. (hereafter: ICO Guidelines)

[5] Subsidiarity in this context shall mean that one needs to take into account all possible means to preserve the individual’s interests, rights or freedoms before invoking a legitimate interest.

[6] ICO Guidelines, 14

[7] ICO Guidelines, 11

[8] ICO Guidelines, 20

[9] Personal Data Protection Code, Legislative Decree no. 196 2003, Article 24(1)(g) (Available at: http://194.242.234.211/documents/10160/2012405/Personal+Data+Protection+Code+-+Legislat.+Decree+no.196+of+30+June+2003.pdf)

[10] Garante per la protezione dei dati personali, ‘Guida all’applicazione del Regolamento europeo in materia di protezione dei dati personali’ (2018) <http://www.garanteprivacy.it/regolamentoue/fondamenti-di-liceita-del-trattamento> accessed at 19 April.

[11] Ministerie van Justitie en Veiligheid, ‘Handleiding Algemene verordening gegevensbescherming’ (2018), 40. <https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/handleidingalgemeneverordeninggegevensbescherming.pdf> accessed at 19 April 2018

[12] Data Protection Commissioner, ‘Guidelines in relation to legal basis for private sector sharing of personal data’ (DPC, 2018) <www.dataprotection.ie/docs/Commissioner-launches-new-guidance-on-data-sharing-in-the-private-sector/530.htm> accessed at 20 April

[13] For example: ICO, ‘Legitimate interests’ (ICO, 2018) <https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/> accessed at 20 April 2018

[14] ICO Guidelines, 6